[Grml] How to verify daily snapshot downloads
Michael Prokop
mika at grml.org
Wed Apr 19 15:32:17 CEST 2017
Hi,
* Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> today I've taken a look at a daily image for grml.org
> and found no way to verify that the image I'm downloading actually is
> from your build machines.
> http://grml.org/daily/
> leads me to something like
> http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> where there are no OpenPGP signatures available.
> and the https variant or the url does not show the files.
> This is a problem because a downloader like can be attacked by serving a
> different iso file and the corresponding checksums. To prevent this attack
> you could
> a) also use https on the daily.grml.org server
> b) Use a new OpenPGP build-key without password, publish the pubkey on the
> https mainsite and use the key in the automatic building process to generate
> the detached signatures.
Good idea, I'll add this to our todo list.
Thanks!
regards,
-mika-
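The scheme proposed in b) end to end, as an added example that is not grml's build tooling or anything from this thread: a passwordless OpenPGP build key signs the checksum file of a daily image, and the downloader verifies the detached signature against the published public key before trusting the checksum. It assumes GnuPG >= 2.1 and GNU coreutils sha256sum; the key name, file names and "image" contents are constructed for the demo.

```sh
#!/bin/sh
# Added example (not grml's own build code). Two keyrings: the build
# machine's (holds the signing key) and the downloader's (holds only the
# published public key). Everything below is constructed demo data.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg (GnuPG >= 2.1) is required' >&2; exit 1; }

WORK=$(mktemp -d)
cleanup() {
    for h in build user; do GNUPGHOME="$WORK/$h" gpgconf --kill all 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT
mkdir -m 700 "$WORK/build" "$WORK/user"

# --- build machine side (point b) ---------------------------------------
# No passphrase, so the unattended build can sign without a pinentry prompt.
GNUPGHOME="$WORK/build" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'grml daily build (demo key)' ed25519 sign 0 2>/dev/null
# The public half is what would be published on the https main site.
GNUPGHOME="$WORK/build" gpg --batch --quiet --armor --export 'grml daily build (demo key)' \
    > "$WORK/build-key.asc"

build_sign() {  # $1 = image; writes SHA256SUMS and a detached SHA256SUMS.asc beside it
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > SHA256SUMS \
      && GNUPGHOME="$WORK/build" gpg --batch --yes --quiet --armor --detach-sign SHA256SUMS )
}

# --- downloader side ----------------------------------------------------
# Returns 0 only if SHA256SUMS.asc is a valid signature over SHA256SUMS under
# the published key AND the image still matches the signed checksum.
verify_download() {  # $1 = image, $2 = published public key file
    dir=$(dirname "$1")
    GNUPGHOME="$WORK/user" gpg --batch --quiet --import "$2" 2>/dev/null
    GNUPGHOME="$WORK/user" gpg --batch --quiet --verify \
        "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null || return 1
    ( cd "$dir" && sha256sum --check --status SHA256SUMS )
}

# Demo run with a constructed stand-in for a daily ISO.
ISO="$WORK/grml64-full_testing.iso"
printf 'constructed stand-in for an ISO image\n' > "$ISO"
build_sign "$ISO"
if verify_download "$ISO" "$WORK/build-key.asc"; then echo 'genuine image: signature and checksum OK'; fi
# A mirror that swaps the image and rewrites SHA256SUMS cannot re-sign it.
printf 'swapped image\n' > "$ISO"
( cd "$WORK" && sha256sum grml64-full_testing.iso > SHA256SUMS )
if verify_download "$ISO" "$WORK/build-key.asc"; then echo 'BUG: swap accepted'; exit 1; fi
echo 'swapped image rejected: signature no longer matches SHA256SUMS'
```

Checking the plain https variant of a) on its own only protects the transport; the signature is what ties the checksum file to the build machine's key.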